On Fri, Jun 12, 2015 at 10:46:48AM +0100, Zé Loff wrote:
> Hi all
>
> I have an IKEv1 setup that allows my roaming laptop (amd64 -current) to
> connect to the office LAN (i386 patched 5.6) using outgoing NAT. Everything*
> works fine, I can ssh machines, browse internal websites, the works.
>
> The office LAN has a machine (amd64 patched 5.4, I know, I know) with
> some NFS shares. Any machine inside the LAN -- this includes my laptop
> when "at home" -- can mount those shares and all works fine.
>
> However, when I'm roaming NFS mounts fail with mountd stating "Refused
> mount RPC from host". As far as I can tell, this happens because for
> some reason the request issued by the laptop comes from a not reserved
> port (tcpdump confirms this) when the connection is made through the
> tunnel. All requests made "at home" come from <2048 ports and everything
> works fine there.
>
> Any ideas as to why the requests come from high ports when on the tunnel
> and reserved ports when "at home" and, more importantly? Cluebats and
> flamethrowers welcome.
>
> Thanks in advance
> Zé
>
>
> * Actually there's something weird going on with getent and DNS queries
> through the tunnel, but I'll save that for some other time
>
> --
>
Just for the archives, I'm answering my own question (almost a year later):

Cause: pf rewriting the source port when NATing, bumping it to >2048

Solution: add "static-port" to the match rule

Cheers
Zé
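For readers landing here from a search, the following pf.conf fragment is an added illustration of the fix described above; it is not the rule set from the thread, and the interface, network and host names in it are assumptions. The point being demonstrated is a security one: mountd's reserved-port check only means something if the source port the NFS server sees is the one the client's kernel chose, and a nat-to without static-port silently replaces it with a port from pf's high range, so a request that left a root-owned socket on the laptop reaches the server looking like one from an unprivileged process.

```pf
# Hypothetical pf.conf fragment for the office gateway (added example,
# not from the original thread). Names and addresses are assumptions.
lan_if  = "em0"
lan_net = "192.168.1.0/24"
vpn_net = "10.99.0.0/24"     # addresses handed out to roaming IKEv1 clients
nfs_srv = "192.168.1.20"

# Before: nat-to rewrites the source port to one from pf's default
# high range (50001-65535 per pf.conf(5)), so a mount request that
# left the laptop from a port below 1024 arrives at the NFS server
# from a high port and mountd answers "Refused mount RPC from host".
# match out on $lan_if from $vpn_net to $lan_net nat-to ($lan_if)

# After: static-port keeps the client's original source port through
# the translation, so the reserved-port property survives NAT.
match out on $lan_if from $vpn_net to $lan_net nat-to ($lan_if) static-port

# The pass rule is unchanged; the match rule above does the translation.
pass out on $lan_if proto { tcp udp } from $vpn_net to $nfs_srv
```

Two checks and two caveats a practitioner will want. To confirm the fix, `pfctl -s state` on the gateway lists each state with its original and translated addresses, so the two source ports should now be equal, and `tcpdump -ni em0 port sunrpc` on the LAN side should show the mount request arriving from a port below 1024 (IPPORT_RESERVED, which is the bound mountd actually checks). The first caveat is that static-port trades away pf's freedom to resolve port collisions: two VPN clients that happen to pick the same source port towards the same destination cannot both be translated to the gateway's address, and the second state fails. The second is that outgoing NAT makes every roaming client appear to mountd as the nat-to address, so the exports entry that admits that address admits all of them; the alternative of running mountd with -n on the server drops the reserved-port requirement altogether and is the weaker choice, since that check is the only thing tying a mount request to a privileged process on the client.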